Conversation
|
感谢你的贡献,思源有你更精彩! |
|
Updated some logic and added checks in ImportData, thanks. |
|
Renaming the file is now working perfectly, but as syr1ne mentioned in his PR renaming should be done before the ImportData function in Screen.Recording.2025-06-16.at.8.50.58.PM.movFrom logs: ...
I 2025/06/16 20:51:07 import.go:139: import data [name=xss-space.zip, size=40934]
I 2025/06/16 20:51:07 import.go:662: import data from [/Users/octodi/SiYuan/temp/import/20250616205107.zip]
W 2025/06/16 20:51:07 import.go:697: renaming invalid custom emoji file [" onerror=alert(1) src=".png] to [/Users/octodi/SiYuan/temp/import/20250616205107/data-20250616095415/emojis/quot onerroralert1 srcquot.png]
I 2025/06/16 20:51:07 import.go:710: import data from [/Users/octodi/SiYuan/temp/import/20250616205107.zip] done
...You could test by importing this data: xss-space.zip |
|
Found the problem. This is because the icon set previously already has an XSS problem. It will be fixed later. |
|
nice work @88250 i have figured something out. renaming file is good, we dont need to change that. but it will be better we can just sanitize the conf.json because whatever shows on the electron app will also be in the conf.json |
|
I think we need to apply FilterUploadFileName() at multiple levels,
Also here And I think here also And everywhere where documents are rendered |
|
Added checks to initialize Conf and set notebook icon, please review. |
|
the XSS still works. for i, emoji := range Conf.Editor.Emoji {
if strings.Contains(emoji, ".") {
// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
emoji = util.FilterUploadFileName(emoji)
Conf.Editor.Emoji[i] = emoji
}
}i guess that's all what is left and will fully patch the vulnerability. |
|
Thank you very much, please test and verify. |
|
XSS is still working. i just figured out that the siyuan in not loading |
|
For me changing emoji name in Document properties worked % cat ./data/20250617125532-i8qpgrv/20250617125535-nvysv69.sy
{"ID":"20250617125535-nvysv69","Spec":"1","Type":"NodeDocument","Properties":{"icon":"changed.png","id":"20250617125535-nvysv69","title":"subdoc","type":"doc","updated":"20250617125538"},"Children":[{"ID":"20250617125535-gbr9xnz","Type":"NodeParagraph","Properties":{"id":"20250617125535-gbr9xnz","updated":"20250617125535"}}]} |
|
I think we should perform sanitization on UI side instead rename file or filtering them on backend |
|
Thank you, thank you, I have revised it again, please review it.
The front-end UI is used in too many places, so it is more convenient to process it on the back-end. |
|
Changes works now, Thanks ❤️ |
|
Thank you both! |
3 participants
bug
its the half fix for #15034
the code is renaming and sanitizing the XSS payload named emoji files.
everything works fine, the only thing left is this fix should be executed before the ImportData function in
kernel/model/import.goor before emoji is loaded on the frontend otherwise, the XSS still execute whenever someone imports the zip file.